- Critical Telnet flaw (CVE-2026-24061) exposes 800,000 devices worldwide
- Attackers gain root access and try to deploy Python malware after bypassing authentication
- Patch released; Users are urged to disable Telnet or block port 23.
Experts have warned that a significant security vulnerability has been detected in Telnet, an ancient remote access tool, which is already being exploited on a large scale.
Shadowserver researchers said they saw nearly 800,000 IP addresses with Telnet fingerprints, suggesting a huge attack surface.
Telnet is an old network protocol that allows users to log into devices remotely. Because it is outdated and insecure, it is no longer supposed to be exposed to the Internet, but hundreds of thousands of devices still are, especially older Linux systems, routers, and IoT devices.
Patches and solutions
The abused authentication bypass vulnerability is tracked as CVE-2026-24061 and was assigned a severity score of 9.8/10 (critical). It affects GNU InetUtils versions 1.9.3 (released 11 years ago in 2015) to 2.7. It was fixed earlier this month, in version 2.8.
Citing data from Shadowserver, beepcomputer noted that the majority of Telnet fingerprint devices come from Asia (380,000), followed by 170,000 from South America and around 100,000 from Europe. We don’t know how many of these devices have been protected against this vulnerability, but it’s safe to assume that not all have been.
“We are ~800,000 telnet instances exposed globally – naturally they shouldn’t be. [..] “Telnet should not be publicly exposed, but it often is, especially on legacy IoT devices,” the Shadowserver Foundation said in its report.
The fix was released on January 20, and within a day, threat actors began searching for vulnerable endpoints, security researchers GreyNoise said. Initially, at least 18 IP addresses performed 60 Telnet sessions, gaining access to compromised devices without authentication. In the vast majority of cases (83%), attackers gained ‘root’ access and used it to attempt to deploy Python malware. However, most attempts failed.
Those who cannot apply the patch immediately should disable the telnetd service or block TCP port 23 on all firewalls.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
